This article describes how to configure Novulo applications as a single sign-on (SSO) client and as an identity provider (idP).
Requirements
- Basic knowledge of identity providers.
- M5637 - Novulo Single signon.
- Ensure that this component is installed in the application that acts as the client.
- M5638 - Novulo Single signon identity provider.
- Ensure that this component is installed in the application that acts as the idP.
Client configuration
- Log in to the application that acts as the client.
- Add an identity provider via All apps > Application Maintenance > Users > Identity providers.
- Set the following fields:
- Type: Novulo (default value).
- Name: the name of the idP as shown in the login screen.
- SAML Entity ID: the URL of your idP application. Include https:// and exclude /default.aspx.
- SSO Endpoint URL: same as the SAML Entity ID.
- Active: Yes (default value).
- Public key: leave this empty for now; it is filled in later, during the provider configuration.
- Create local user account if not exists: default is yes. Disable this if you want stricter control. When disabled, you need to create the local user manually before that user is able to log in via this idP.
- Add an Identity provider role (via More > Roles) and set the following fields:
- Name: the name of the role that you can refer to in the client configuration in the idP application.
- Rights profile: the rights profile that users get when they log in via this idP with this role.
- Active: Yes (default value).
- Change rights profile: choose what fits you best.
- Yes (default): the current rights profile of the user is changed to the above value every time they log in.
- No: the above rights profile is only used for new users and is not changed when logging in.
- Fallback role when IdP does not send one: off (default).
- Debug: off (default).
- Click the ‘Send request to identity provider’ button. You should get a confirmation message:
“Request successfully sent to identity provider. When the request is authorized you can log on using single sign on.”
If you get the error message “Unexpected error: Object reference not set to an instance of an object.”, your SSO Endpoint URL is most likely incorrect.
Provider configuration
The troubleshooting section below refers to these steps by number.
1. Log in to the application that acts as the idP.
2. Go to All apps > Application maintenance > Users > Single sign-on requests. This overview lists the SSO clients that have not yet been approved. Here you should see the request that you sent from your client application. Open it.
3. Copy the value from the ‘My public key’ field. Open your client application again and paste the key in the ‘Public key’ field of the identity provider record.
4. Edit the field ‘SSO Endpoint URL’ and add “/SSOprovider.aspx” at the end.
5. Open your idP application again and navigate to the SSO request. Click the ‘Toggle approved’ button. In the popup you can choose between:
- Add to group (default): adds your new client to an SSO client group.
- Base on template: uses a template to add users or user groups. If you want to use templates, you can configure them via All apps > Application maintenance > Settings > Single sign-on templates.
- Manual configuration: only approves the SSO client, but does not add users or user groups. Choose this option if you don’t have any templates or groups yet.
6. Add a Single sign-on client user via the users overview on the SSO client page. Here you configure the local user and assign the appropriate role for this user.
7. Test whether your configuration works. The Single sign-on client page (in your idP application) has an overview of logs that shows useful information about successful or failed SSO logins.
Troubleshooting and common errors
- After logging in I’m not redirected to the client application, but I have just logged in to the idP application.
Solution: the SSO Endpoint URL in your client application is configured incorrectly. Check provider configuration step 4.
- Error: “Client is not approved by provider”
Solution: approve the client in your idP application. Check provider configuration step 5.
- Error: “User is not authorized to login to client”
Solution: no corresponding user was found in the configuration of your client in your idP application. Check provider configuration step 6.
- Error: “A different public key is expected for this provider”
First make sure you are using the correct URL (http / https) and that there are no redirects.
Also make sure that, if SSO.overrideissuer is set in your deployment, it has the correct value. This key overrides the URL that the client reports when logging on.
If it worked in the past and you now get this message, the key in the store of the client application has changed. If the hardware or application pool has changed, this is expected; otherwise verify that the client has not been compromised (hacked).
Solution:
a. Find the client in your idP application based on the URL it identifies itself with.
b. Click the button ‘Toggle approved’ and make sure it is not approved.
c. Log on to the client application with a local (admin) account.
d. Go to the identity provider record.
e. Click the button ‘Send request to identity provider’.
f. Go back to your idP application and click ‘Toggle approved’ again, so the client is approved.
g. Log off in the client application and log on using SSO.
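As an added pre-flight check that is not part of the Novulo product or this documentation, the following Python function validates the two URL fields of the identity provider record against the rules above (https, no /default.aspx, the /SSOprovider.aspx suffix after provider configuration step 4) and flags redirects, which is the first thing to rule out for the “A different public key is expected” error. The `head` callback, the `IdpRecord` type and the example hostnames are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Suffix that provider configuration step 4 appends to the SSO Endpoint URL.
SSO_SUFFIX = "/SSOprovider.aspx"


@dataclass
class IdpRecord:
    """The two URL fields of the client's identity provider record (assumed type)."""
    entity_id: str      # SAML Entity ID
    sso_endpoint: str   # SSO Endpoint URL


def check_idp_record(rec: IdpRecord, after_step4: bool = True,
                     head: Optional[Callable[[str], int]] = None) -> List[str]:
    """Return a list of findings; an empty list means the record looks right.

    `head` is a hypothetical callback that performs an HTTP HEAD request and
    returns the status code. It is injected so the check runs offline.
    """
    findings = []
    ent = urlparse(rec.entity_id)
    if ent.scheme != "https":
        findings.append("SAML Entity ID must start with https://")
    if not ent.netloc:
        findings.append("SAML Entity ID is not an absolute URL")
    if ent.path.lower().endswith("/default.aspx"):
        findings.append("SAML Entity ID must not end with /default.aspx")
    base = rec.entity_id.rstrip("/")
    # Before step 4 the endpoint equals the Entity ID; afterwards the suffix is appended.
    expected = base + SSO_SUFFIX if after_step4 else base
    if rec.sso_endpoint.rstrip("/") != expected:
        findings.append(f"SSO Endpoint URL should be {expected}")
    if head is not None:
        for url in (rec.entity_id, rec.sso_endpoint):
            status = head(url)
            if 300 <= status < 400:
                findings.append(f"{url} redirects (HTTP {status}); the idP must be reached without redirects")
    return findings


# Constructed responder standing in for real HEAD requests (no network involved).
CONSTRUCTED_STATUS = {
    "http://idp.example.test": 301,   # plain http redirects to https
    "https://idp.example.test": 200,
    "https://idp.example.test/SSOprovider.aspx": 200,
}


def fake_head(url: str) -> int:
    return CONSTRUCTED_STATUS.get(url, 404)
```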